The Hacker News — Cyber Security, Hacking, Technology News

A new spam email campaign making the rounds in Germany is delivering a new variant of a powerful banking malware, a financial threat designed to steal users’ online banking credentials, according to security researchers at Microsoft.

The malware, identified as Emotet, was first spotted last June by security vendor Trend Micro. Emotet’s most notable feature is its network sniffing ability, which lets it capture data sent over secured HTTPS connections by hooking eight network APIs, according to Trend Micro.

Microsoft has been monitoring a new variant of Emotet banking malware, Trojan:Win32/Emotet.C, since November last year. This new variant was sent out as part of a spam email campaign that peaked in November.

Emotet has been distributed through spam messages, which contain either a link to a website hosting the malware or a file bearing a PDF document icon that is actually the malware.

HeungSoo Kang of Microsoft’s Malware Protection Center identified a sample of the spam email message that was written in German and included a link to a compromised website. This indicates that the campaign primarily targeted German-speaking users and banking websites.

The spam messages are written so that they easily gain the attention of potential victims. They may masquerade as some sort of fraudulent claim, such as a phone bill, an invoice from a bank or a message from PayPal.

Once it infects a system, Emotet downloads a configuration file containing a list of banks and services it is designed to steal credentials from, along with a file that intercepts and logs network traffic.

Network sniffing is the most disturbing part of this malware because it gives the cybercriminal visibility into all information exchanged over the network. In short, users can go about their online banking without realizing that their data is being stolen.

Emotet will pull credentials from a variety of email programs, including versions of Microsoft’s Outlook, Mozilla’s Thunderbird and instant messaging programs such as Yahoo Messenger and Windows Live Messenger.

All the stolen information is sent back to Emotet’s "command and control (C&C) server where it is used by other components to send spam emails to spread the threat," Kang wrote. "We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A."

However, there is one technique to stop these spam messages: reject all messages that come from bogus accounts, by checking whether the account from which you received the email really exists.

Users are also advised not to open or click on links and attachments provided in any suspicious email; if the message appears to be from your banking institution and concerns you, confirm it twice before proceeding.

We are living in an era of smart devices that we sync with our smartphones to make our lives simpler, but these smart devices that interoperate with our phones could leave our important personal data wide open to hackers and cybercriminals.

Security researchers have demonstrated that the data sent between a smartwatch and an Android smartphone is not especially secure and could be subject to brute-force attacks in which attackers intercept and decode users' data, including everything from text messages to Google Hangouts chats and Facebook conversations.

This happens because the Bluetooth communication between most smartwatches and Android devices relies on a six-digit PIN code to transfer information securely. A six-digit PIN means roughly one million possible keys, which attackers can brute-force with little effort, exposing entire conversations in plain text.

Researchers from the Romania-based security firm Bitdefender carried out a proof-of-concept hack against a Samsung Gear Live smartwatch and a paired Google Nexus 4 handset running Android L Preview. Using only sniffing tools available at the time, the researchers found that the PIN obfuscating the Bluetooth connection between the two devices could easily be brute-forced.

A brute-force attack is one in which a nearby attacker tries every possible combination until finding the correct one. Once they found the right match, they were able to monitor the information passing between the smartwatch and the smartphone.

VIDEO DEMONSTRATION

You can watch the proof-of-concept video below, run on a Samsung Gear Live smartwatch and a paired Google Nexus 4 device running Android L Preview.

The researchers explained that their findings were "pretty consistent with [their] expectations" and that, without a great deal of effort, encrypted communications between wearable technology and smartphones could be cracked and left open to prying eyes.

This new discovery is particularly important for those who are concerned about their personal data, and considering the current growth in the market for smartwatches and wearable devices, it will definitely make you think before using one.

HOW TO PROTECT YOURSELF FROM SUCH ATTACKS

One option to avoid becoming a victim of such attacks is to use Near Field Communication (NFC) to safely transmit a PIN code to compatible smartwatches during pairing, but that would likely increase the cost and complexity of the devices. In addition, "using passphrases is also tedious as it would involve manually typing a possibly randomly generated string onto the wearable smartwatch," the report said.

Another option is for original equipment manufacturers (OEMs) working with Google to provide an alternative that makes data transfers between the two devices more secure. "Or we could supersede the entire Bluetooth encryption between Android device and smartwatch and use a secondary layer of encryption at the application level," the report offered. There are almost certainly other potential fixes available.

Banking malware has almost doubled this year compared with the previous one, and so has the sophistication of malware authors’ techniques.

Until now, we have seen banking Trojans infecting devices and stealing users’ financial credentials in order to drain their money. But now malware authors are adopting more sophisticated techniques in an effort to target as many victims as possible.

BANKING MALWARE WITH NETWORK SNIFFING

Security researchers from the anti-virus firm Trend Micro have discovered a new variant of banking malware that not only steals users’ information from the device it has infected but also has the ability to “sniff” network activity in an effort to compromise the devices of other users on the same network.

The banking malware, dubbed EMOTET, spreads rapidly through spam emails that masquerade as bank transfers and shipping invoices. The spam email carries a link that users readily click, since the emails appear to refer to their bank or financial transactions.

Once clicked, the malware is installed on the user’s system and then downloads its component files, including a configuration file and a .DLL file. The configuration file contains information about the banks targeted by the malware, whereas the .DLL file is responsible for intercepting and logging outgoing network traffic.

The .DLL file is injected into all processes on the system, including the web browser, and then “this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file,” wrote Joie Salvio, security researcher at Trend Micro. “If strings match, the malware assembles the information by getting the URL accessed and the data sent.”

ENCRYPTED STOLEN DATA

Meanwhile, the malware stores the stolen data in separate registry entries after encrypting it, which means the malware can steal and save any information the attacker wants.

"The decision to store files and data in registry entries could be seen as a method of evasion," Salvio said. "Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason."
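One way a defender can act on that observation, as an added example that is not from the Trend Micro report or this article: flag registry values that look like encrypted blobs by their size and Shannon entropy, since encrypted data is near-random while ordinary REG_SZ strings are not. The registry paths and values below are constructed sample data, not real Emotet indicators; on a live system the dictionary would be filled from a registry export.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, ~8.0 for random)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_registry_values(values, min_size=512, min_entropy=7.0):
    """Return (path, size, entropy) for values that look like encrypted blobs:
    at least min_size bytes with near-random byte distribution."""
    findings = []
    for path, data in values.items():
        if isinstance(data, str):
            # REG_SZ is stored as UTF-16LE on Windows; the zero bytes keep its entropy low.
            data = data.encode("utf-16-le")
        if len(data) < min_size:
            continue
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            findings.append((path, len(data), round(ent, 2)))
    return findings


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for an encrypted blob: chained SHA-256 digests."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample snapshot (key path -> value); these are not real Emotet artifacts.
SAMPLE_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\u\app.exe",
    r"HKCU\Software\Classes\Local Settings\MuiCache\Example": "Some Application",
    r"HKCU\Software\Example\Blob": _pseudo_ciphertext(4096),
    r"HKCU\Software\Example\Small": _pseudo_ciphertext(64),
}

if __name__ == "__main__":
    for path, size, ent in suspicious_registry_values(SAMPLE_VALUES):
        print(f"{path}: {size} bytes, entropy {ent} bits/byte")
```

Only the 4096-byte blob is reported; the 64-byte value is below the size floor and the UTF-16 strings have low entropy. The thresholds are starting points and should be tuned against a baseline of the system's own registry.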

HTTPS CONNECTIONS KICKED

Moreover, the malware has the ability to bypass even secure HTTPS connections, which poses a greater danger to users’ personal information and banking credentials, since users will feel free to continue their online banking without realizing that their information is being stolen.

This kind of financial threat is especially dangerous because previous banking malware often relied on form-field insertion or phishing pages to steal users’ financial information; the use of network sniffing makes the threat much harder for users to detect, since no changes are visible, the researcher said.

Researchers are still investigating how the malware sends the data sniffed from the network to the attacker.

MALWARE DISTRIBUTION OVER WORLD MAP

The malware infection is not targeted at any specific region or country, but the EMOTET malware family is largely infecting users in the EMEA region, i.e. Europe, the Middle East and Africa, with Germany at the top of the affected countries.

Users are advised not to open or click on links and attachments provided in any suspicious email; if the message appears to be from your banking institution and concerns you, confirm it twice before proceeding.